youtube-search
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may handle a service account setup flow and gain access to a TranscriptAPI key that can spend the account's API credits.
The skill can have the agent create a TranscriptAPI account, handle the user's email and OTP, and obtain an API key. This is disclosed and purpose-aligned, but it is still delegated account and credential handling.
You will handle the full signup on the user's behalf... register... verify... exchanges the OTP for the API key.
Only allow account creation if you trust the TranscriptAPI service and this skill's setup flow; revoke or rotate the key if you no longer use it.
The API key may remain available to the agent or shell environment after the initial task, enabling future TranscriptAPI requests without re-entering the key.
The setup guide asks the agent to persist the API key broadly enough for future sessions. This is expected for an API-backed skill, but the storage location is environment-dependent and should be protected.
Store it persistently using whatever method is correct for this environment... available in future sessions, including non-interactive shells
Use the platform's secret manager or another secure credential store where possible, avoid plain-text shell-profile storage, and remove the key when no longer needed.
Relevant research prompts may cause the agent to send search terms or video identifiers to transcriptapi.com and use API credits.
The skill allows the agent to call the external search/transcript API when it decides YouTube is relevant. This is disclosed and aligned with the skill's purpose, but it can consume API credits and send the research query to the provider.
Also use proactively when the user wants to research a topic and YouTube is a good source.
Install only if you are comfortable with TranscriptAPI receiving those search requests; ask the agent to confirm before API use if credit consumption or privacy matters.